Re: Issues with sshd writing to the kernel keyring

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Well you would need a mechanism to have multiple keyrings associated
with each different
SELinux label.  With potentially more depending on if there are multiple
UIDs with a single
SELinux label.

On 02/03/2015 08:37 AM, George Karakougioumtzis wrote:
> What if there would exist a central module responsible for handling the
> keyrings? It could expose a netlink socket or a dbus interface, or tcp
> socket(most likely since there is network authentication with
> ipa/kerberos) for various like login,sssd or kerberos to
> subscribe/communicate and get notified about events and then create the
> keyrings with a context? Well thats definitely not selinux'ish strictly
> speaking but a more general problem.
> On 02/02/2015 07:10 PM, Daniel J Walsh wrote:
>> On 02/01/2015 06:50 AM, George Karakougioumtzis wrote:
>>> Its not an actual answer but rather an idea based upon Dan's mail. What
>>> if pam_keyring would be patched to supply the correct label? Just food
>>> for thought
>> pam_keyring supplies the keyring of the logged in user, but in several cases
>> we have other entities creating keyrings, like sssd, or services like
>> gssd. 
>> If the keyring is a UID based keyring, it does not necessarily follow
>> SELinux
>> rules.  Can I have multiple uid=0 keyrings which are separated?  We are
>> havin
>> major problems with containers and the keyring.  Where we basically want a
>> separate keyring for each container even if the containers are all
>> running with the
>> same UID.
>>> On 02/01/2015 02:00 PM, selinux-request@xxxxxxxxxxxxxxxxxxxxxxx wrote:
>>>> Send selinux mailing list submissions to
>>>> 	selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>> 	https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> or, via email, send a message with subject or body 'help' to
>>>> 	selinux-request@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>> You can reach the person managing the list at
>>>> 	selinux-owner@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>> When replying, please edit your Subject line so it is more specific
>>>> than "Re: Contents of selinux digest..."
>>>>
>>>>
>>>> Today's Topics:
>>>>
>>>>    1. Re: Issues with sshd writing to the kernel keyring
>>>>       (Jason L Tibbitts III)
>>>>
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Sat, 31 Jan 2015 15:45:31 -0600
>>>> From: Jason L Tibbitts III <tibbs@xxxxxxxxxxx>
>>>> To: Daniel J Walsh <dwalsh@xxxxxxxxxx>
>>>> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Subject: Re: Issues with sshd writing to the kernel keyring
>>>> Message-ID: <ufay4oi1v5w.fsf@xxxxxxxxxxxxxxxxxxxxx>
>>>> Content-Type: text/plain
>>>>
>>>>>>>>> "DJW" == Daniel J Walsh <dwalsh@xxxxxxxxxx> writes:
>>>> DJW> The labelling of the kernel keyring has never been handled
>>>> DJW> correctly.  The keyring gets created with a label based on the
>>>> DJW> creating object then all sorts of other confined domains end up
>>>> DJW> using the same keyring.
>>>>
>>>> Ah, that makes a lot of sense.  I have managed to get around it by
>>>> restarting things, but knowing that whatever creates the keyring
>>>> specifies the label does explain what I'm seeing, including the rare
>>>> startup race.
>>>>
>>>> Do you know if it's possible to somehow look at the kernel keyring and
>>>> see the labeling of things?  /proc/keys doesn't tell me.
>>>>
>>>> DJW> I would just allow the access.  You should open a bug with
>>>> DJW> selinux-policy to allow sshd_t to write to the gssd_t keyring.
>>>>
>>>> I reopened the existing bug, which was on F20 (and seemingly solved
>>>> there) but which didn't get carried over to F21 somehow.  That is
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1063827
>>>>
>>>> I can open a new ticket if that would be better.
>>>>
>>>>  - J<
>>>>
>>>>
>>>> ------------------------------
>>>>
>>>> --
>>>> selinux mailing list
>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>> End of selinux Digest, Vol 132, Issue 1
>>>> ***************************************
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux